Defending hardware and data against malicious cyber attacks
The exposure this year of the Meltdown and Spectre flaws in computer processors has given added urgency to the work of an EU-funded project to protect systems against 'side-channel' attacks.
We like to believe that passwords and security keys provide adequate protection for sensitive data, but there is now growing awareness of how computer security can be foiled by side-channel attacks.
These attacks use information gleaned by, for example, analysing patterns of power consumption or timing behaviour to force a processor to disclose secret information such as passwords. The EU-funded SOPHIA project is aiming to address this challenge and work with manufacturers to keep vast amounts of data safe.
'There has been a lot of research on cryptographic algorithms, but so far the research on how to secure processor systems as a whole against all types of side-channels has been very limited,' says Stefan Mangard, who leads the project. 'Our goal is to research how to build processors and software for processors that provide security even in the presence of side-channel attacks.'
We want to ensure only authorised users can access their data and nobody else.
All kinds of processors are vulnerable, including those in smartphones, desktops, laptops and many other electronic devices as well as in the servers and data-storage centres that make up the internet.
Mangard's team, at Graz University of Technology, Austria, was one of the groups that uncovered two new and unexpected hardware vulnerabilities in computer processors this year.
As a first step, SOPHIA had been exploring the susceptibility of current processors to side-channel attacks when the researchers stumbled across two vulnerabilities, now called Meltdown and Spectre, which allow a malicious program to steal data such as passwords from other programs running on the same machine.
They soon discovered the same problems had been identified by another team a few months earlier, and the joint discovery was made public in January 2018. The revelation shocked the computing industry and blew away the scepticism that Mangard had encountered in arguing for greater attention to be paid to the danger of side-channel attacks.
Proof of protection
'We didn't really expect that a side-effect could have such a huge impact that it can completely bypass the isolation mechanisms between the operating system and the users which are currently in place in all large processors,' Mangard says. 'It's now clear this problem is not going away by itself and that we really need to work on it. It's huge justification for the research we are doing.'
The team has achieved a second important result: a new method for defending hardware circuits against side-channel attacks that exploit patterns in power consumption. This introduces randomness into computations to prevent exploitable patterns from emerging. They have also devised a tool to formally prove that a circuit is protected from such attacks.
Mangard and his colleagues are in contact with manufacturers to ensure that the findings from SOPHIA are incorporated into the next generation of processors as early as possible.
'There is still a lot of research ahead,' he says. 'Considering the economic impact of cyber-crime, the potential impact of our research is very large. The Meltdown and Spectre attacks that we published so far are additional motivation to dig deeper and find good mechanisms for securing processors and solving the problem. This is our main focus for the next few years.'